RE: [PATCH] iommu/vt-d: Avoid NULL pointer dereference or refcount corruption

From: Tian, Kevin

Date: Wed Apr 22 2026 - 04:04:45 EST


> From: Duan, Zhenzhong <zhenzhong.duan@xxxxxxxxx>
> Sent: Wednesday, April 22, 2026 11:36 AM
>
> Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE")
> only partly fixed a NULL pointer dereference in an unlikely situation.
>
> If dev_pasid is not found in the dev_pasids list, it remains NULL.
> However, the teardown operations are executed unconditionally, which leads
> to a NULL pointer dereference or refcount corruption.
>
> If the domain was never attached to this IOMMU, info will be NULL, which
> would cause an immediate dereference when checking --info->refcnt.
>
> Even if info is not NULL, decrementing the refcount without having removed
> a valid PASID might unbalance the count. This could lead to premature
> dropping of the refcount to 0, potentially causing a use-after-free for the
> remaining active devices sharing the domain.
>
> Fix it by returning early if dev_pasid is NULL, before executing the
> teardown operations.
>
> Issue found by AI review and suggested by Kevin Tian.
> https://sashiko.dev/#/patchset/20260421031347.1408890-1-zhenzhong.duan%40intel.com
>
> Fixes: 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE")
> Suggested-by: Kevin Tian <kevin.tian@xxxxxxxxx>
> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@xxxxxxxxx>

Reviewed-by: Kevin Tian <kevin.tian@xxxxxxxxx>
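The refcount imbalance the commit message describes, as an added standalone model rather than the driver's own code: a domain shared by two devices through one IOMMU, a dev_pasids list, and a per-IOMMU info with a refcount that releases the shared state when it reaches zero. Every name here (dmar_domain, iommu_info, remove_dev_pasid_before/after, drop_domain_ref) is hypothetical and the structures are simplified stand-ins for the real ones. The "before" path warns on a missing dev_pasid and tears down anyway; the "after" path returns early, as the patch does. Running it shows that one stale remove for a PASID that was never attached leaves the second device holding released state in the buggy variant, and that the NULL-info case is reached only in the buggy variant.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEV_PASIDS 8

/* Stand-in for the per-IOMMU domain info: refcnt counts attached devices,
 * released marks the point at which the real code would free that state. */
struct iommu_info {
	int refcnt;
	int released;
};

struct dev_pasid_info {
	int dev_id;
	unsigned int pasid;
};

struct dmar_domain {
	struct dev_pasid_info dev_pasids[MAX_DEV_PASIDS];
	int ndev_pasids;
	struct iommu_info *info;	/* NULL if never attached to this IOMMU */
};

static struct dev_pasid_info *find_dev_pasid(struct dmar_domain *d, int dev_id, unsigned int pasid)
{
	for (int i = 0; i < d->ndev_pasids; i++)
		if (d->dev_pasids[i].dev_id == dev_id && d->dev_pasids[i].pasid == pasid)
			return &d->dev_pasids[i];
	return NULL;
}

static void unlink_dev_pasid(struct dmar_domain *d, struct dev_pasid_info *dp)
{
	int i = (int)(dp - d->dev_pasids);

	memmove(&d->dev_pasids[i], &d->dev_pasids[i + 1],
		(size_t)(d->ndev_pasids - i - 1) * sizeof(*dp));
	d->ndev_pasids--;
}

static void attach_dev_pasid(struct dmar_domain *d, struct iommu_info *info, int dev_id, unsigned int pasid)
{
	d->dev_pasids[d->ndev_pasids++] = (struct dev_pasid_info){ dev_id, pasid };
	if (!d->info)
		d->info = info;
	d->info->refcnt++;
}

/* One attached device goes away; at zero the per-IOMMU state is torn down. */
static void drop_domain_ref(struct dmar_domain *d)
{
	if (--d->info->refcnt == 0) {
		d->info->released = 1;
		d->info = NULL;
	}
}

/* Before the fix: warn when dev_pasid is missing, but run the teardown anyway. */
static int remove_dev_pasid_before(struct dmar_domain *d, int dev_id, unsigned int pasid)
{
	struct dev_pasid_info *dp = find_dev_pasid(d, dev_id, pasid);

	if (!dp)
		fprintf(stderr, "WARN_ON_ONCE: dev %d pasid %u not attached\n", dev_id, pasid);
	else
		unlink_dev_pasid(d, dp);
	if (!d->info)
		return -1;		/* the real code would dereference NULL in --info->refcnt */
	drop_domain_ref(d);		/* unbalanced decrement when dp was NULL */
	return 0;
}

/* After the fix: return early, before any teardown, when the PASID was never attached. */
static int remove_dev_pasid_after(struct dmar_domain *d, int dev_id, unsigned int pasid)
{
	struct dev_pasid_info *dp = find_dev_pasid(d, dev_id, pasid);

	if (!dp) {
		fprintf(stderr, "WARN_ON_ONCE: dev %d pasid %u not attached\n", dev_id, pasid);
		return -ENOENT;
	}
	unlink_dev_pasid(d, dp);
	drop_domain_ref(d);
	return 0;
}

/* Constructed scenario: devices 1 and 2 share the domain, a stale remove for an
 * unattached (dev 3, pasid 30) arrives, then dev 1 detaches legitimately.
 * Returns 1 if dev 2 is left pointing at released state, 0 otherwise. */
static int shared_domain_uaf(int use_fix)
{
	struct iommu_info info = { 0, 0 };
	struct dmar_domain d = { .ndev_pasids = 0, .info = NULL };
	int (*do_remove)(struct dmar_domain *, int, unsigned int) =
		use_fix ? remove_dev_pasid_after : remove_dev_pasid_before;

	attach_dev_pasid(&d, &info, 1, 10);
	attach_dev_pasid(&d, &info, 2, 20);
	do_remove(&d, 3, 30);		/* never attached */
	do_remove(&d, 1, 10);		/* dev 2 still attached afterwards */
	return info.released;
}

/* Constructed scenario: the domain was never attached to this IOMMU (info == NULL). */
static int never_attached_null_info(int use_fix)
{
	struct dmar_domain d = { .ndev_pasids = 0, .info = NULL };

	return use_fix ? remove_dev_pasid_after(&d, 1, 10)
		       : remove_dev_pasid_before(&d, 1, 10);
}

int main(void)
{
	printf("shared domain, before fix: released=%d\n", shared_domain_uaf(0));
	printf("shared domain, after fix:  released=%d\n", shared_domain_uaf(1));
	printf("NULL info, before fix: %d (would crash)\n", never_attached_null_info(0));
	printf("NULL info, after fix:  %d (-ENOENT)\n", never_attached_null_info(1));
	return 0;
}
```

The unbalanced path is the interesting one: the stale remove does not crash, it only drops refcnt from 2 to 1, so the next legitimate detach takes it to 0 and releases state that device 2 still uses. The early return keeps the count tied to actual list membership.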